U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Congressionally Requested Inquiry Into the EPA’s Use of Private and Alias Email Accounts

Report No. 13-P-0433
September 26, 2013

Report Contributors:
Rudolph M. Brevard
Michael Goode
Eric K. Jackson Jr.
Teresa Richardson
Gina Ross
Sabrena Stewart

Abbreviations

CFR     Code of Federal Regulations
EPA     U.S. Environmental Protection Agency
GAO     U.S. Government Accountability Office
NARA    National Archives and Records Administration
NRMP    National Records Management Program
OIG     Office of Inspector General
OMB     Office of Management and Budget

Hotline

To report fraud, waste, or abuse, contact us through one of the following methods:

email:   OIG_Hotline@epa.gov
phone:   1-888-546-8740
fax:     202-566-2599
online:  http://www.epa.gov/oig/hotline.htm
write:   EPA Inspector General Hotline, 1200 Pennsylvania Avenue, NW, Mailcode 2431T, Washington, DC 20460

At a Glance

Why We Did This Review

We conducted this audit in response to a request by the U.S. House of Representatives Committee on Science, Space, and Technology for information about the U.S. Environmental Protection Agency’s (EPA’s) practices when using private and alias email accounts to conduct official business.

The EPA’s records management program is managed through the agency’s National Records Management Program. The agency’s records officer, located within the Office of Environmental Information, is responsible for leading the program in accordance with EPA policy, procedures, and federal statutes and regulations.

This report addresses the following EPA theme:

• Embracing EPA as a high performing organization.

For further information, contact our public affairs office at (202) 566-2391.

The full report is at: www.epa.gov/oig/reports/2013/20130926-13-P-0433.pdf

What We Found

We found no evidence that the EPA used, promoted or encouraged the use of private “non-governmental” email accounts to circumvent records management responsibilities or reprimanded, counseled or took administrative actions against personnel for using private email or alias accounts for conducting official government business. EPA senior officials said they were aware of the agency records management policies and, based only on discussions with these senior officials, the OIG found no evidence that these individuals had used private email to circumvent federal recordkeeping responsibilities.

The previous EPA Administrator and the then Acting EPA Administrator who followed were issued two EPA email accounts. One account was made available to the public to communicate with the EPA Administrator and the other was used to communicate internally with EPA personnel. This was the common practice for previous Administrators. The practice is widely used within the agency and is not limited to senior EPA officials. These secondary EPA email accounts present risks to records management efforts if they are not searched to preserve federal records.

The agency recognizes it is not practical to completely eliminate the use of private email accounts. However, the agency had not provided guidance on preserving records from private email accounts. The EPA has not implemented oversight processes to ensure locations provide consistent and regular training on records management responsibilities, and employees complete available training on their delegated National Records Management Program duties. Inconsistencies in employee out-processing procedures pose risks that federal records are not identified and preserved before an employee departs the agency. EPA also lacks an automated tool to create federal records from its new email system.

Recommendations and Planned Agency Corrective Actions

We recommend that the assistant administrator for the Office of Environmental Information develop and implement oversight processes to update agency guidance on the use of private email accounts, train employees and contractors on records management responsibilities, strengthen relationships between federal records preservation and employee out processing, and deliver a system to create federal records from the new system. The EPA concurred with many of our recommendations but did ask that we clarify aspects of two findings. The agency has either completed recommended actions or plans to take corrective actions to address our findings.

Noteworthy Achievements

EPA created a records policy to provide guidance to personnel regarding roles and responsibilities for records management. In fiscal year 2009, the EPA declared electronic content management an agency-level weakness. In its fiscal year 2012 Agency Financial Report, the EPA cited as part of its corrective action plan that it launched two pilot projects to evaluate tools for eDiscovery and the management of email records. Over the past 4 years, the EPA has taken various actions to close out this agency-level weakness.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

September 26, 2013

MEMORANDUM

SUBJECT:  Congressionally Requested Inquiry Into the EPA’s Use of Private and Alias Email Accounts
          Report No. 13-P-0433

FROM:     Arthur A. Elkins Jr.

TO:       Renee Wynn, Acting Assistant Administrator and Chief Information Officer
          Office of Environmental Information

This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems the OIG identified and the corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position.

Action Required

The EPA agreed with all five of our recommendations. The agency completed agreed-upon corrective actions associated with recommendations 1 and 2 and the OIG considers these recommendations closed. Recommendations 3 through 5 are considered open with agreed-upon corrective actions pending. We accept EPA’s response and planned corrective actions and no further response is needed.

If you or your staff have any questions regarding this report, please contact Richard Eyermann, the acting assistant inspector general for the Office of Audit, at (202) 566-0565 or eyermann.richard@epa.gov; or Rudolph Brevard, director for Information Resources Management Audits, at (202) 566-0893 or brevard.rudy@epa.gov.

Table of Contents

Chapters

1  Introduction
     Purpose
     Background
     Noteworthy Achievements
     Scope and Methodology

2  The EPA’s Use of Private and Alias Email Accounts
     Results of Review
       The EPA Lacks Records Management Policies and Procedures Regarding Private Email Account Usage
       The EPA Lacks Records Management Training for Private and Alias Email Usage
       The EPA Lacks Practices for Collecting and Preserving Records for Employees Separating From Regional Offices
       The EPA Lacks Tool to Place Email in Its Electronic Content Management System for Its New Email System
     Agency Actions Prior to Issuance of Final Report
     Recommendations
     Agency Response and OIG Evaluation

Status of Recommendations and Potential Monetary Benefits

Appendices

A  Agency Response to Draft Report
B  Distribution

Chapter 1
Introduction

Purpose

We conducted this audit in response to a U.S. House of Representatives Committee on Science, Space, and Technology request for information about whether the U.S. Environmental Protection Agency (EPA) follows applicable laws and regulations when using private and alias email accounts to conduct official business. Specifically, in response to the committee’s request, the Office of the Inspector General (OIG) sought to determine whether the EPA:

• Promoted or encouraged the use of private or alias email accounts to conduct official government business.
• Reprimanded, counseled, or took administrative actions against any employees using private or alias email accounts.
• Established and implemented email records management policies and procedures for collecting, maintaining and accessing records created from any private or alias email accounts.
• Provided adequate training to employees concerning the use of private or alias email accounts to conduct official government business.
• Established and implemented oversight processes to ensure employees comply with federal records management requirements pertaining to electronic records from private or alias email accounts.

Background

National Archives and Records Administration

The National Archives and Records Administration (NARA) is responsible for overseeing agencies’ adequacy of documentation and records disposition programs and practices. NARA issues regulations and provides guidance and assistance to federal agencies on ensuring adequate and proper documentation of the organization, functions, policies, decisions, procedures and essential transactions of the federal government; and ensuring proper records disposition, including standards for improving the management of records.

Private and Alias Email

Private email accounts for the purposes of this review are defined as any non-“.gov” email addresses used to conduct EPA business. Alias email is defined as a secondary “epa.gov” account used to conduct EPA business. EPA stated that alias email accounts have been used by prior EPA Administrators given the large volume of emails sent to their public EPA accounts.

Agency Record Management

The EPA manages its official records through its National Records Management Program (NRMP). The Office of Information Collection within the EPA’s Office of Environmental Information oversees the NRMP. The agency records officer is responsible for leading the NRMP in accordance with the EPA policy, procedures, and federal statutes and regulations. The agency records management program lists the following as the agency records officer’s responsibilities:

• Developing an overall records management strategy.
• Producing and updating EPA records management policies, procedures, standards and guidance.
• Cooperating with other units in developing policies and guidance on the application of technology to records management.
• Conducting specialized briefings on records management.
• Assisting records programs across the agency with advice and technical expertise.

Noteworthy Achievements

The EPA took steps to improve its records management practices. For example, the EPA created a records policy to provide guidance to personnel on the roles and responsibilities pertaining to records management. In addition, in fiscal year 2009, the EPA declared electronic content management an agency-level weakness. In its fiscal year 2012 Agency Financial Report, the EPA stated that it has either completed or initiated the following corrective actions to address this agency-level weakness:

• Established a new Quality Information Council Electronic Content Subcommittee.
• Developed a charter for the subcommittee.
• Established two enterprise-wide workgroups under the subcommittee.
• Developed interim procedures to address the storage and preservation of electronically stored information.
• Launched two pilot projects to evaluate tools for eDiscovery and the management of email records. The results of the pilot projects will be used to inform the subcommittee’s decisions on future policy or tool implementation.

The agency has also stated that it will develop a validation strategy to assess the effectiveness of various activities undertaken to redress the identified weakness. The validation strategy will consist of processes that allow the agency to review and determine whether policies and tools are being implemented and utilized.

Scope and Methodology

We conducted this audit from December 2012 to June 2013. We performed this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on the audit objectives.

To obtain a broad understanding of EPA officials’ records management responsibilities, we reviewed agency records management policies and procedures; the Code of Federal Regulations (CFR) in 36 CFR Chapter XII – National Archives and Records Administration; Office of Management and Budget (OMB) Circular A-123, Management’s Responsibilities for Internal Control; and OMB Circular A-130, Management of Federal Information Resources.

We met with the then Acting EPA Administrator (currently the Deputy Administrator), staff and officials from the Office of the Administrator, officials from the Office of General Counsel, and appointed or acting assistant and regional administrators from the following program and regional offices, to gather an understanding of their background and experience with federal records requirements:

• Office of Environmental Information
• Office of Air and Radiation
• Office of International and Tribal Affairs
• Office of Research and Development
• Office of Chemical Safety and Pollution Prevention
• Region 2, New York, New York
• Region 3, Philadelphia, Pennsylvania
• Region 6, Dallas, Texas
• Region 8, Denver, Colorado
• Region 9, San Francisco, California

We met with offices’ information management officers, senior information officials, regional records officers, records liaison officers, email administrators, human resource directors, and Freedom of Information Act officers responsible for implementing and complying with the EPA federal records guidance. We also met with the EPA representative responsible for the direct oversight of the agency’s NRMP regarding that oversight and to obtain an understanding of the implemented internal controls around EPA’s ability to maintain electronic records and other records management practices.

We also met with the former Region 8 regional administrator to gain his perspective on what EPA could do to strengthen its electronic records management practices. We requested interviews with the most recent former EPA Administrator and general counsel to gain their perspective on the agency’s records management practices. We did not receive a response from these two former employees on our requests for interviews.

We followed up on the status of recommendations made by the U.S. Government Accountability Office (GAO) in its report National Archives and Selected Agencies Need to Strengthen Email Management (GAO-08-742), issued June 2008. The report recommended that the EPA:

• Revise the agency’s policies to ensure that they appropriately reflect NARA’s requirement on instructing staff on the management and preservation of email messages sent or received from nongovernmental email systems.

• Develop and apply oversight practices, such as reviews and monitoring of records management training and practices, that are adequate to ensure that policies are effective and staff are adequately trained and implementing policies appropriately.

The GAO noted that the EPA was in the process of improving the implementation of its electronic content management system in order to collect federal records within the agency’s email system.

Chapter 2
The EPA’s Use of Private and Alias Email Accounts

The EPA lacks internal controls to ensure the identification and preservation of records when using private and alias email accounts for conducting government business. The agency lacks controls to ensure agency employees and contractors are trained on the records management responsibilities and a process to create records from its new email system.
Federal guidance issued by NARA requires\n            agencies to appropriately identify and preserve records for its decisions. Federal\n            guidance also specifies records management training requirements as well as the\n            requirements when using automated systems to preserve email records. The\n            weaknesses noted occurred because the EPA had not created records management\n            policies and procedures for private email account usage, and had not conducted\n            oversight to ensure employees and contractors were provided consistent and\n            regular training on records management responsibilities. Further, the EPA lacks\n            controls to ensure out-processing procedures identify potential records, and lacks\n            an automated process to create federal records from its new email system. If these\n            critical issues are not corrected, the agency faces the risk that records needed to\n            document the EPA\xe2\x80\x99s decisions would not be available. This could potentially\n            undermine the public\xe2\x80\x99s confidence in the transparency of the EPA\xe2\x80\x99s operations\n            and ultimately erode the public\xe2\x80\x99s trust in the agency\xe2\x80\x99s stewardship of the nation\xe2\x80\x99s\n            environmental programs.\n\nResults of Review\n            We found no evidence to support that the EPA used, promoted, or encouraged the\n            use of private email accounts to circumvent records management responsibilities.\n            Furthermore, EPA senior officials indicated that they were aware of the agency\n            records management policies and, based only on discussions with these senior\n            officials, the OIG found no evidence that these individuals had used private or alias\n            email to circumvent federal recordkeeping responsibilities. 
We noted that the\n            previous EPA Administrator and the subsequent Acting EPA Administrator\n            (the Deputy Administrator) each had two EPA email accounts, one intended for\n            messages from the public and one for communicating with select senior EPA\n            officials. Interviews with selected assistant and regional administrators and records\n            management officials disclosed that the practice of assigning personnel access to\n            multiple email accounts is widely practiced within the agency. We found no\n            evidence to support that the EPA reprimanded, counseled or took administrative\n            actions against personnel for using private and alias email accounts.\n\n            Personnel have access to multiple EPA email accounts for various purposes.\n            These include sending out mass email notifications, transmitting or receiving\n            documents in support of special projects, or linking the email account to an\n            agency publicly available website to provide the public with a method to\n\n\n13-P-0433                                                                                     5\n\x0c            correspond with the EPA. Each of these additionally assigned email accounts\n            could potentially contain federal records or other documents subject to Freedom\n            of Information Act requests or litigation holds. 
Our audit disclosed that these\n            secondary email accounts present risks to the agency\xe2\x80\x99s records management\n            efforts if they are not searched to preserve federal records.\n\n            In addition to needed improvements over internal controls surrounding secondary\n            email accounts, more oversight is needed to strengthen policies and procedures\n            regarding the use of private email accounts, processes for training employees and\n            contractors on their records management responsibilities, and practices for\n            preserving records when employees depart the agency. The EPA should also ensure\n            that it implements a tool to create records directly from its new email system.\n\n            The EPA Lacks Records Management Policies and Procedures\n            Regarding Private Email Account Usage\n\n            The EPA lacks consistent practices regarding what steps employees should take to\n            preserve federal records when they use private email accounts for conducting\n            government business. Instead, in October 2012, in response to increased attention\n            brought on the agency due to media articles and inquires into the EPA records\n            retention practices, EPA officials placed an alert on its Intranet advising employees\n            the following:\n\n                  \xe2\x80\x9cDo not to use any outside mail systems to conduct official Agency\n                  business. 
If, during in an emergency, you use a non-EPA email\n                  system, you are responsible for ensuring that any email records and\n                  attachments are saved in your offices\xe2\x80\x99 recordkeeping system.\xe2\x80\x9d\n\n            Title 36 CFR Chapter XII \xe2\x80\x93 National Archives and Records Administration,\n            Part 1236, states that agencies that allow employees to send and receive official\n            electronic mail messages using a system not operated by the agency must ensure\n            that federal records sent or received on such systems are preserved in the\n            appropriate agency recordkeeping system.\n\n            The EPA had not developed or implemented policies or procedures regarding the\n            preservation of email messages sent or received from private email systems.\n            While the EPA alert advises employees not to use outside email systems to\n            conduct official business, the alert does not instruct employees on the\n            management and preservation of email messages sent from outside email systems\n            if it were to occur. Senior agency officials and office representatives cited reasons\n            why the complete nonuse of personal electronic equipment (which includes\n            computers, mobile devices and email accounts) when the employee is not within\n            the office is not practical.\n\n            Senior agency officials and office representatives noted as one reason the\n            proliferation of personal mobile devices that are not allowed access to the agency\xe2\x80\x99s\n\n\n\n13-P-0433                                                                                       6\n\x0c            network. The officials also cited as another reason the increased use of unscheduled\n            telework, during which employees unexpectedly worked off site when they did not\n            have their assigned government equipment with them. 
However, given these\n            growing concerns, the EPA had not taken steps to provide employees guidance as\n            to when they may use private electronic equipment\xe2\x80\x94including computers, mobile\n            devices and email accounts\xe2\x80\x94to conduct government business.\n\n            Without effective records management policies and procedures that address\n            collecting, maintaining and accessing records created from private email\n            accounts, the EPA risks the possibility that agency personnel are not conducting\n            government business in a manner consistent with management\xe2\x80\x99s desires. The EPA\n            also risks the possibility that agency personnel are not capturing potential records\n            needed to document agency decisions.\n\n            The EPA Lacks Records Management Training for Private and Alias\n            Email Usage\n\n            The EPA lacks internal controls to ensure that personnel are trained on their\n            responsibilities for preserving records from private and alias accounts used to\n            conduct official government business. As noted, the EPA does not have formal\n            guidance on the use of private email accounts and subsequently has not provided\n            training in this area. Further, the agency has not conducted training on its existing\n            records management policies and procedures, which govern government records\n            since 2009. Our discussion with agency representatives raises doubt as to whether\n            the EPA will meet the latest requirement to inform all personnel of their records\n            management responsibilities.\n\n            Federal guidance requires training of personnel on their records management\n            responsibilities. 
Specifically:

• NARA states that federal agencies must provide guidance and training to all agency personnel on their records management responsibilities, including identification of federal records, in all formats and media.

• OMB Circular A-123 reiterates management’s responsibility for establishing internal control to train personnel to possess the proper knowledge and skills to perform their assigned duties. OMB Circular A-130 requires agencies to train all employees and contractors on their federal records management responsibilities.

• OMB Memorandum M-12-18, Managing Government Records, requires agencies to inform employees of their records management responsibilities by December 31, 2014.

The EPA had not provided records management training to employees and contractors in over 3 years. The agency last provided agencywide records management training in fiscal years 2007 and 2009. While the training discussed creating records within government email systems, neither of these two training courses addressed the usage of private email accounts to conduct official government business. The training also has not been updated to place emphasis on creating records when employees are assigned secondary email accounts. The agency plans to incorporate the use of private or secondary email accounts in future training courses to fulfill the OMB training requirement to inform employees of their records management responsibilities.
However, the agency has not established a firm date for when it would develop or offer the training course.

The EPA’s NRMP did not establish controls to ensure consistent training of records management responsibilities within the regional and program offices or ensure employees with specific NRMP responsibilities took available training. We noted that the EPA created an organizational structure for its records management program with clearly defined roles and responsibilities. The EPA also has training available for agency records officers, liaisons and coordinators. However, the agency lacked processes to ensure the structure functioned as intended and specialized training was taken when needed.

According to a program office records liaison officer, the officers rely upon the headquarters NRMP official to provide training for them to use to train their personnel. Records liaison officers could not provide records to show how many personnel within their offices were trained on records management responsibilities in general or specifically trained on the office’s policy on using personal email accounts when conducting official government business. Our interviews also disclosed that the agency relies upon the records liaison officers to take additional training to carry out their delegated duties and the agency does not monitor whether the records liaison officers took training.

The lack of consistent records management training increases the risk that agency employees neither understand nor fully comply with federal records management requirements.
This also has led to records management training, when given, being delivered in an ad hoc and informal manner with no measure to ensure the information reached the specified target audience. As such, we believe the agency has limited assurance that all applicable personnel are trained on records management responsibilities, and this raises questions as to whether any provided training was delivered in sufficient frequency to ensure personnel could appropriately carry out their responsibilities.

The EPA Lacks Practices for Collecting and Preserving Records for Employees Separating From Regional Offices

The EPA lacks internal controls to ensure that regional offices consistently collect and preserve electronic records for separating employees. Our audit disclosed that regional offices lacked processes for notifying individuals with records management responsibilities about employee separation from the agency, to ensure that all records were identified before the employee’s departure. Management at regional offices did not consistently validate that separating employees turned over electronic records. This included collecting and preserving electronic records in alias email accounts known as “mail-in accounts,” as well as files on flash drives and external hard drives.

EPA Order 3110.5A and Employee Separation Checklist Form 3110-1 outline the agency’s employee separation procedures.
The procedures state that management is responsible for certifying receipt of items listed on Form 3110-1, which includes the identification and transfer of agency records. The procedure assigns departing employees responsibility to identify and transfer agency records. The procedure also assigns the employee’s supervisor and program office records manager responsibility to validate the receipt of records through signature.

Weaknesses within regional separation procedures exist due to the NRMP manager not conducting oversight to ensure that federal records procedures were fully integrated. Our review disclosed that regional notification procedures for departing employees did not allow time to identify and preserve official records. We also found that managers with records responsibilities did not consistently take steps to validate collection and preservation of records before employee departure. For example:

• Regions lacked internal controls to ensure employee separation checklists reached individuals with records management responsibilities in order for them to preserve federal records. This included taking steps to have employees search for potential records residing within alias email accounts the employee manages or on other electronic media devices within the employee’s control.

• Some employees bypass their supervisor or administrative officer and go directly to the regional human resource office to start the separation process.
As such, individuals tasked with records management responsibilities do not know that an employee is departing until the employee arrives with the separation checklist for clearance signature.

• Regional separation checklists did not include an area where regional office managers tasked with records management responsibilities could sign off on employee separation forms. Some regional separation checklist forms did not include an agency requirement to identify and transfer records.

• Regional office managers not tasked with records management responsibilities were signing off on employee separation forms without conducting steps to ensure that collection and preservation of the separating employees’ electronic records had occurred. One regional human resource staff member also stated that they typically have to sign off on employee clearance forms for employees who depart at the end of the year, when most supervisors are taking leave (use or lose) at holiday time.

Without effective employee separation processes that ensure identification and collection of agency records from all electronic media used for collection and storage, the EPA risks losing historical records that support its decisions. EPA human resource offices are signing off that agency records were preserved even though they were not in a position to know this information.
The weaknesses have also left regional counsels with insufficient time to have employees search to ensure that all records are preserved for litigation holds, and with the information to prompt employees to search for records that may be contained within alias email accounts, flash drives and external hard drives.

The EPA Lacks Tool to Place Email in Its Electronic Content Management System for Its New Email System

The EPA deployed its new email system without the capability to place new email system records in its electronic content management system. During its audit, the GAO noted that email records retention in the EPA was primarily a print-and-file system and noted that the EPA developed an oversight plan and pilot-tested a records management survey tool.

Subsequent to the GAO report, in fiscal year 2009, the EPA declared electronic content management an agency-level weakness. In its fiscal year 2012 Agency Financial Report, the EPA noted that inconsistencies in how electronic content is maintained and stored have started to impact critical processes related to electronic records management. The EPA cited as part of its corrective action plan that it would launch two pilot projects to evaluate tools for eDiscovery and the management of email records.

The EPA implemented its new email system without providing a means for agency employees to create federal records in the agency’s electronic content management system. During the past 4 fiscal years, the EPA has been taking steps to complete corrective actions to close out the electronic content management agency-level weakness by the projected completion date of fiscal year 2013.
Based on information on the agency’s electronic content management website, employees are directed to print and file email records until an electronic content management system is in place to store records. However, the website provides no information as to when the EPA would provide a solution for creating federal records from its new email system. We believe that the EPA will not be in a position to close out the agency-level weakness by its projected fiscal year 2013 completion date.

Agency Actions Prior to Issuance of Final Report

On June 28, 2013, the EPA issued Interim Records Management Policy CIO 2155.2. This policy states that official agency business should first and foremost be done on official EPA information systems (e.g., email, instant messaging, computer work stations, and shared service solutions). The policy specifies that the record creator must ensure that any use of a non-governmental system does not affect the preservation of federal records for Federal Records Act purposes, or the ability to identify and process those records, if requested, under the Freedom of Information Act or for other official business (e.g., litigation or congressional oversight requests).

Also, on July 31, 2013, the agency deployed its new mandatory records management training for all agency staff, contractors and grantees that have access to EPA information systems.
The EPA indicated that over 30 percent of agency employees have already taken the training.

Recommendations

We recommend that the assistant administrator and chief information officer, Office of Environmental Information:

1. Develop and implement records management policies and procedures regarding the use of private email accounts when conducting official government business.

2. Develop internal controls to ensure that all EPA employees and contractors complete training on their records management responsibilities.

3. Develop and implement internal controls to monitor and track completion of training for personnel with specific delegated duties and responsibilities outlined in the NRMP guidance.

4. Conduct outreach with all EPA offices to ensure that locally developed separation policies and procedures, as well as the associated employee separation checklist, include records management retention practices consistent with agency guidance.
This should include ensuring that:

   a. Locations’ out-processing procedures contain practices where notifications are sent to individuals with records management responsibilities in a timely manner to aid in capturing electronic records from separating employees.

   b. Locations include steps to have employees search for potential records residing within alias email accounts that the employee manages or on other electronic media devices within the employee’s control.

   c. Locations have special out-processing procedures that contain a method for collecting records from departing employees during the holiday season or times of limited staffing.

   d. Locations update their locally developed out-processing checklist to ensure an area exists for where records managers can note their records management certifications as required by agency policy.

5. Establish a revised date for when the EPA will implement an electronic content management tool to capture email records within the agency’s new email system.

Agency Response and OIG Evaluation

The agency provided a corrective action plan with milestones to address all the report recommendations.
The agency completed corrective actions associated with recommendations 1 and 2, and the OIG considers these recommendations closed. Recommendations 3, 4 and 5 are considered open with corrective actions pending.

Although the EPA agreed to perform corrective actions for our recommendations, the agency believed the report did not:

• Recognize the distinction between secondary accounts used by EPA Administrators for a specific purpose and secondary email accounts used for purposes such as sending out mass email notifications, transmitting or receiving documents in support of special projects, or linking the email account to an agency publicly available website to provide the public with a method to correspond with the EPA.

• Reflect the issuance of the EPA Interim Records Management Policy CIO 2155.2 on June 28, 2013, which strongly discourages the use of private non-EPA email accounts.

Our audit disclosed that the agency uses secondary email accounts similarly throughout the EPA. These secondary email accounts can send and receive email messages as well as create records that could be subject to Freedom of Information Act or litigation requests. The agency also had not implemented policies that make distinctions between secondary email accounts used by senior agency officials and secondary email accounts used for other purposes. As such, we made no differentiation between these accounts during our audit.
Our audit disclosed that secondary email accounts pose risks to the agency and the EPA should take steps to strengthen the management control structure surrounding these accounts.

We updated the final report to recognize that the EPA issued its interim records management procedure subsequent to the OIG issuing its discussion draft report.

Status of Recommendations and Potential Monetary Benefits

Action Official for all five recommendations: Assistant Administrator and Chief Information Officer, Office of Environmental Information. The Potential Monetary Benefits columns (Claimed Amount and Agreed-To Amount, in $000s) are blank for all five recommendations.

Rec. No. 1 (Page No. 11)
Status¹: C
Planned Completion Date: 6/28/13
Subject: Develop and implement records management policies and procedures regarding the use of private email accounts when conducting official government business.

Rec. No. 2 (Page No. 11)
Status¹: C
Planned Completion Date: 7/31/13
Subject: Develop internal controls to ensure that all EPA employees and contractors complete training on their records management responsibilities.

Rec. No. 3 (Page No. 11)
Status¹: O
Planned Completion Date: 12/31/13
Subject: Develop and implement internal controls to monitor and track completion of training for personnel with specific delegated duties and responsibilities outlined in the NRMP guidance.

Rec. No. 4 (Page No. 11)
Status¹: O
Planned Completion Date: 12/31/13
Subject: Conduct outreach with all EPA offices to ensure that locally developed separation policies and procedures, as well as the associated employee separation checklist, include records management retention practices consistent with agency guidance. This should include ensuring that:
   a. Locations’ out-processing procedures contain practices where notifications are sent to individuals with records management responsibilities in a timely manner to aid in capturing electronic records from separating employees.
   b. Locations include steps to have employees search for potential records residing within alias email accounts that the employee manages or on other electronic media devices within the employee’s control.
   c. Locations have special out-processing procedures that contain a method for collecting records from departing employees during the holiday season or times of limited staffing.
   d. Locations update their locally developed out-processing checklist to ensure an area exists for where records managers can note their records management certifications as required by agency policy.

Rec. No. 5 (Page No. 12)
Status¹: O
Planned Completion Date: 12/31/13
Subject: Establish a revised date for when the EPA will implement an electronic content management tool to capture email records within the agency’s new email system.

¹ O = recommendation is open with agreed-to corrective actions pending
  C = recommendation is closed with all agreed-to actions completed
  U = recommendation is unresolved with resolution efforts in progress

Appendix A

Agency Response to Draft Report

August 27, 2013

MEMORANDUM

SUBJECT: Response to the Office of Inspector General Draft Report No. OA-FY13-0113 Congressionally Requested Inquiry into the EPA’s Use of Private and Alias Email Accounts, dated July 19, 2013

FROM: Renee P. Wynn
      Acting Assistant Administrator and Chief Information Officer

TO: Arthur A. Elkins, Jr.
    Inspector General

Thank you for the opportunity to respond to the issues and recommendations described in Draft Report No. OA-FY13-0113.

Over the last several months, the agency has undertaken many important actions designed to improve the agency's records management and preservation program. Because of the connection between these efforts and some of the issues discussed in your draft report, and because we believe the report should be evaluated with an understanding of these efforts, I detail the efforts below.

Improved Training on Information Management Responsibilities

The EPA has launched a multi-faceted training effort to ensure every employee at the agency understands his or her records management responsibilities. First and foremost in the agency's training program is mandatory training for all employees of the EPA on records management.
On July 31, 2013, Deputy Administrator Robert Perciasepe announced the availability of this new training, reminding employees that "records management is the daily responsibility of every EPA employee." The training focuses on the foundations of records management, providing guidance on how to identify and preserve Federal records. Less than three weeks after the training was announced - and more than a month before the training must be completed on September 30, 2013 - over 30% of agency employees have already taken the training.

In addition to training for all employees, the EPA is working with the Department of Justice's Office of Information Policy on in-depth training for the agency's Freedom of Information Act (FOIA) professionals. The Office of Information Policy is the office within the Department of Justice that develops guidance for Executive Branch agencies on our responsibilities under FOIA, and is understood by government and non-government organizations alike as the government's foremost FOIA experts. The EPA is excited to welcome DOJ for this training, which the agency expects to conduct in September 2013.

Following up on 2013's Records Management training, the EPA will conduct mandatory training for all of our employees on their individual and collective responsibilities under FOIA in 2014. This training is expected to focus on the requirements of FOIA; the importance of timely, accurate responses; and the role every employee plays in the agency's efforts to comply with the Act. In addition to these training modules, the EPA has completely overhauled our Records intranet site.
This site, at http://intranet.epa.gov/records, serves as an agency-wide records management resource, and provides guidance to employees as well as links to a variety of information law resources.

Updated Policies For Employee Conduct

In addition to a renewed focus on training for employees, the EPA has begun the process of reviewing, updating, and reissuing agency policies for the effective management of agency information resources. First among that effort was a review of the agency's Records Policy, with the specific intent of addressing the use of personal email and consolidating our records retention schedules to make them easier for staff to use and more adaptable to electronic records management tools.

In June 2013, the EPA issued its Interim Records Management Policy CIO-2155.2, which strongly discourages the use of private non-EPA email accounts, stating that "Official Agency business should first and foremost be done on official EPA information systems." Further, the Interim Policy goes on to instruct employees on how to manage and preserve email messages sent from outside email systems if use of a non-EPA email system were to occur. The Interim Policy instructs employees that once the electronic files have been captured in an approved EPA records management system, they should be removed from non-EPA information systems, unless subject to an obligation to preserve the files in their original location. The EPA initiated the process to finalize this policy shortly after issuing it in interim form.

On September 30th, the EPA will issue its first agency-wide Interim FOIA Procedures. The EPA expects these procedures will increase consistency and predictability in the processing of FOIA requests across the agency's programs and regions.
The procedures define key roles and responsibilities in the processing of FOIA requests, and detail the basic steps of processing a request, from receipt to document collection to production.

Advanced Technology for Managing Agency Information

The EPA has also embarked on an ambitious effort to improve the technology available to employees for managing, preserving, and producing agency information. In 2010, the EPA established the Electronic Content Subcommittee of the Quality and Information Council. (The Council was established in 1999, to address enterprise-wide information management issues and to develop agency policies to guide the EPA in the areas of information technology and information management.) The Electronic Content Subcommittee was established to focus particularly on the challenge of creating, preserving, maintaining, and retrieving the range of electronic information at the agency. Under the auspices of that Committee, the agency's eDiscovery Workgroup led the way in launching an enterprise-wide litigation hold solution in October of 2012. For the first time, the EPA now issues, maintains, tracks, and monitors all litigation holds issued to agency employees in a single system. This consolidation helps the agency ensure it is preserving all information subject to a litigation-based preservation obligation, and increases consistency and efficiency at the same time. The Workgroup has also made significant progress towards the full launch of electronic search and review tools that will be used for more comprehensive and efficient information requests and document productions.

The agency is also poised to release an "EZ Records" tool to assist employees with their records management obligations.
The EZ Records tool will allow employees to designate emails as records with just one click of a mouse, increasing the likelihood that employees will preserve email records as soon as they are created. To help encourage use of the tool, in October 2013, the EPA will launch an Agency-wide, mandatory training on how to capture email records using the new EPA-developed tools for records preservation.

Response to the Draft Report

The agency has welcomed this evaluation by the Office of Inspector General. The "Agency's Response to Report Recommendations" attachment details EPA's response to each recommendation and provides an estimated date of completion. In addition to the responses to the Report's specific recommendations, the agency would also like to respond to certain aspects of the narrative portions of the report as well.

Specifically on the use of private, non-EPA email accounts, the report correctly finds that the agency has not "promoted or encouraged the use of private 'non-governmental' email accounts to conduct official government business." In fact, the agency has taken many steps to discourage the use of non-EPA email accounts unless necessitated by special circumstances. Since 2009, the agency has stated both in its records training for senior officials and on its records intranet site Frequently Asked Questions that EPA staff generally should not use non-government email accounts to conduct official agency business. EPA's records officer provides this information as part of the on-boarding process for political appointees and senior officials in Headquarters, as well as consults with Records Liaison Officers to provide this information to officials located in the agency's regional office. We believe that the report should more clearly recognize these previous efforts to provide guidance on this issue.
In addition, the report does not reflect that all employees at headquarters receive basic records management training as part of the onboarding process, and are provided information about the extensive self-help section of the Records Program intranet site.

The agency believes that the report could be more helpful for our efforts to improve our records management program by making a clearer distinction among the types of email accounts addressed in the report. The report uses both "private" and "personal" to describe email accounts that are not maintained on an EPA system. We encourage the OIG to use consistent nomenclature in the final report, to ensure all recipients of the report understand the guidance provided.

We also strongly encourage the OIG to more clearly distinguish between non-EPA email accounts and "secondary" official epa.gov email accounts. Secondary epa.gov accounts are official government accounts that are assigned to an employee or to a program within the EPA as part of that employee's or program's official government duties. Emails sent to or from these accounts are sent to or from the EPA email system in the same manner and form as an email to or from a "primary" account is sent to or from the EPA email system. These accounts are different from non-EPA email accounts, and, as such, the two may require different actions to ensure compliance with an employee's information management responsibilities.

Additionally, the report also seems to conflate various types of secondary official epa.gov email accounts. There are a variety of uses for secondary accounts that are different from a regular, day to day email account of a single employee.
Currently, the agency has only identified a need for the Administrator or Deputy Administrator to have a secondary account that is specific to her or him and that is used as her or his day to day official government email account. These secondary, official government accounts permit the Administrator and Deputy Administrator to conduct agency business by maintaining a manageable, working email account for daily correspondence with staff and other officials, and the EPA's practice of issuing such accounts has been reported and documented to the National Archives and Records Administration (NARA) since 2008. This practice is appropriate and commonplace within the federal government. The Administrator's primary account, which is provided to the public, is rendered impractical because of the large volume (over 1 million emails annually) of mail it receives from outside the agency. The EPA actively monitors both the primary and secondary accounts, and ensures that all emails to either type of account are properly reviewed for preservation under the Federal Records Act and produced under the FOIA or other production obligation. The agency strongly believes that the final report should more clearly reflect the very limited existence and use of this type of secondary official email account.

The other types of "secondary" accounts discussed in the report are generally not accounts assigned to or used by an individual employee for her day to day email communications. These accounts are also used for practical purposes, such as sending out mass email notifications, transmitting or receiving documents in support of special projects, or linking the email account to a publicly available website of the agency to provide the public with a method to correspond with the EPA. An example of this type of secondary account is the "contact us" email account for the EPA's SunWise program.
This account is used to answer questions from the public about the SunWise program and is designated as SunWise Staff (sunwise@epa.gov). This type of secondary account might be more clearly identified as a "group" account or "special purpose" account. We strongly believe that the final report should make this distinction, and clarify the draft report's conclusion that: "This practice is widely used within the agency and not limited to senior officials." My office has no information that indicates the use of "secondary" day to day government email accounts, such as the one used by the Administrator and which was the subject of the Congressional inquiry, is widely used within the agency, and the draft report does not include information to the contrary.

The use of both types of secondary accounts is authorized and appropriate, therefore, the agency has not reprimanded, counseled, or taken administrative actions against personnel using the accounts for conducting official government business. Use of secondary accounts does not alter or interfere with the preservation requirements under the Federal Records Act or disclosure requirements under the Freedom of Information Act and Congressional document requests. Further, all agency-issued email accounts, including primary accounts and any type of secondary accounts, are subject to the same current agency records policies and procedures for managing records, both created and received on these accounts and are subject to the current agency disclosure policies for responding to information requests. In addition, the report does not indicate in the Scope and Methodology section that staff members who manage the secondary official government account assigned to the Administrator were consulted during this audit.
I believe that these individuals may provide valuable additional information about existing practices and procedures for capturing and producing records from these accounts to ensure the agency complies with preservation and disclosure requirements.

Finally, while the agency agrees with many of the recommendations in the report, some of the recommendations (specifically 3 and 4) go beyond the issue of "Private and Alias" email account usage. As you can see from the information detailed above, these recommendations relate to issues already identified and actively being addressed by the EPA's Office of Environmental Information (OEI).

Our response to your recommendations is attached.

We look forward to discussing this report with you and to working with your office to improve EPA's records management program. If you have any questions regarding this response, please contact John Ellis, Agency Records Officer, of the Office of Information Collection/Collection Strategies Division/Records and Content Management Branch on (202) 566-1643.

Attachment

cc: Vaughn Noga
    Andrew Battin
    Jeff Wells
    John Moses
    Erin Collard
    John Ellis
    Scott Dockum
    Brenda Young

AGENCY’S RESPONSE TO RECOMMENDATIONS: OIG Report OA-FY13-113

| No. | Draft Report Recommendation | Agency Response | Estimated Completion by Quarter and FY |
|---|---|---|---|
| 1. | Develop and implement records management policies and procedures regarding the use of private email accounts when conducting official government business. (page 11) | EPA issued an Interim Records Management Policy CIO-2155.2, on June 28, 2013 which strongly discourages the use of private non-EPA email accounts and instructs employees on the management and preservation of email messages sent from outside email systems if it were to occur. | Completed Q3 FY2013 |
| | | EPA has initiated a process to finalize Records Management Policy CIO-2155.2 | In progress Q3 FY2014 |
| 2. | Develop internal controls to ensure that all EPA employees and contractors complete training on their records management responsibilities. (page 11) | EPA developed mandatory records management training for all EPA staff, contractors and grantees. The training was deployed agencywide July 31, 2013 and is to be completed by September 30, 2013. | In progress - Q4 FY2013 |
| 3. | Develop and implement internal controls to monitor and track completion of training for personnel with specific delegated duties and responsibilities outlined in the National Records Management Program (NRMP) guidance. (page 11) | Records Liaison Officers are required to obtain the NARA Certification in Federal Records Management. This training is tracked by NARA and periodically reported to the Agency Records Officers. Although this recommendation does not appear to specifically relate to private or secondary email accounts, the NRMP will request an updated report from NARA and follow up with any RLO that has not received the certification. Noncompliance will be reported to the management for appropriate action. | Q1 FY2014 |
| 4. | Conduct outreach with all EPA offices to ensure that locally developed separation policies and procedures, as well as the associated employee separation checklist, include records management retention practices consistent with agency guidance. This should include ensuring that: a. Locations’ out-processing procedures contain practices where notifications are sent to individuals with records management responsibilities in a timely manner to aid in capturing electronic records from separating employees. (page 11) | EPA’s National Records Management Program, via the Quality and Information Council’s agency-wide Records Workgroup, has been working with OARM to develop a consolidated employee separation and transfer procedure. Although this recommendation does not appear to specifically relate to private or secondary email accounts, the procedure will include a requirement that Records Liaison Officers, Records Contacts and Document Control Staff are notified 2 weeks in advance of an employee’s separation, when possible. This will alert the staff with specific records management responsibilities to aid separating staff in capturing their records. | Q1 FY2014 |
| 4. | b. Locations include steps to have employees search for potential records residing within alias email accounts that the employee manages or on other electronic media devices within the employee’s control. (page 11) | EPA’s National Records Management Program, via the Quality and Information Council’s agency-wide Records Workgroup, and OARM will include in the separation process and procedures, steps to have employees search for potential records residing within the secondary or group email accounts that the employee manages. A checklist will also be provided which will include all possible locations where records (paper and electronic) might be found. | Q1 FY2014 |
| 4. | c. Locations have special out-processing procedures that contain a method for collecting records from departing employees during the holiday season or times of limited staffing. (page 11) | Although this recommendation does not appear to specifically relate to private or secondary email accounts, the EPA’s National Records Management Program, via the Quality and Information Council’s agency-wide Records Workgroup, and OARM will include in the separation procedure safeguards to ensure that separating employee information is captured during the holiday season and other times of limited staffing. | Q1 FY2014 |
| 4. | d. Locations update their locally developed out-processing checklist to ensure an area exists for where records managers can note their records management certifications as required by agency policy. (page 12) | Although this recommendation does not appear to specifically relate to private or secondary email accounts, the EPA’s National Records Management Program and OARM will include in the separation process and procedures an out-processing checklist to ensure an area exists for records managers to certify as required by policy. | Q1 FY2014 |
| 5. | Establish a revised date for when the EPA will implement an electronic content management tool to capture email records within the agency’s new email system. (page 12) | In addition to the Lotus Notes email records solution, which is already developed, an email records solution for MS Office 365 is under development. | Q4 FY2013 |
| | | Although this recommendation does not appear to specifically relate to private or secondary email accounts, the EPA will deploy agency-wide the email records solution for both Lotus Notes and MS Office 365. | Q1 FY2014 |

| No. | Findings | Agency Explanation/Response | Proposed Alternative |
|---|---|---|---|
| 1. | The report states that, “the previous EPA Administrator and current Acting EPA Administrator each had two EPA email accounts, one intended for messages from the public and one for communicating with select senior officials.” (page 5) Further the report notes, “that the practice of assigning personnel access to multiple email accounts is widely practiced within the agency.” (page 5) | This statement does not recognize the distinction between secondary accounts used by EPA Administrators for a specific purpose, and secondary email accounts used for purposes such as sending out mass email notifications, transmitting or receiving documents in support of special projects, or linking the email account to an agency publicly available website to provide the public with a method to correspond with the EPA. | Revise the report to recognize this distinction. |
| 2. | The report states that “EPA had not developed or implemented policies or procedures regarding the preservation of email messages sent or received from private email systems.” (page 6) Further, the report notes that [EPA], “…does not instruct employees on the management and preservation of email messages sent from outside email systems if it were to occur.” (page 6) | Please modify the statement to reflect the issuance of the EPA Interim Records Management Policy CIO-2155.2, on June 28, 2013 which strongly discourages the use of private non-EPA email accounts and instructs employees on the management and preservation of email messages sent from outside email systems if it were to occur. | Revise the report to indicate that EPA put in place policy and procedures and training regarding the proper management of email records sent from private accounts. |
| | | EPA has initiated the process to finalize EPA Records Management Policy CIO-2155.2 | In progress Q3 FY2014 |

Appendix B

Distribution

Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Principal Deputy Assistant Administrator for Environmental Information
Director, Office of Information Collection, Office of Environmental Information
Deputy Director, Office of Information Collection, Office of Environmental Information
Audit Follow-Up Coordinator, Office of Environmental Information